How often should dom0 be updated?

I’m running R4.1, and I have a habit of running sudo qubes-dom0-update almost daily. I’ve noticed that on most days there are updates for the fedora-32 that runs dom0, to the point where it’s becoming alarming, since my understanding is that dom0 shouldn’t be updated that often as it’s the bedrock of Qubes OS’ security and updating exposes it to bugs and vulnerabilities.

I have several questions:

  • Am I wrong with any of my assumptions?

  • Is this unique to R4.1 (I don’t remember R4.0.3 being this busy, but that’s probably because it runs on fedora-28 which is no longer maintained)

  • Is there anything that can be done to reduce the risk here? Is not updating dom0 worse than updating it?

  • As some established and knowledgeable members have noted, fedora is updated so frequently it can be considered unstable–is it wise to continue entrusting dom0 to fedora?


Did you notice that 4.1 is not a stable version and not even a release candidate? This is an experimental testing version, so if you are concerned about security, you just should not use it. It’s not even listed in Downloads.

This is absolutely correct: Normally there should be few reasons for updating software in Dom0. This is very much true for 4.0.

This isn’t a constructive answer. See:

In short, if R4.0 were to use fedora-32 dom0, we’d be seeing the same amount of updates. While I acknowledge that security wouldn’t be as strong in an unstable alpha, the fundamental problem of Fedora’s (current revision) frequent updates remains.

AFAIK dom0 (in stable releases) is almost always based on a Fedora version, which is no longer maintained:

I looked through the document but couldn’t find where it says that dom0 almost always uses outdated fedora versions–the closest I found was this:

“For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached end-of-life (EOL).”

Just check the EOL dates of respective Fedora versions and compare to EOL dates of the Qubes releases.

I cross checked the Qubes releases EOL dates against the Fedora EOL list and didn’t find a significant correlation. Maybe you’re seeing something I’m not; please elaborate.

https://fedoraproject.org/wiki/End_of_life

Qubes 3.2 was supported from 2016-09-29 until 2019-03-28, while Fedora 23 in its dom0 was supported until 2016-12-20, i.e. dom0 had unmaintained Fedora almost all the time.

Qubes 3.1 was supported from 2016-03-09 until 2017-03-29, while Fedora 20 in its dom0 was supported until 2015-06-23, i.e. dom0 had unmaintained Fedora all the time.


I think 4.1 atm should often be updated, because it is a very early release for testing and of course some things are not working and you need to try several “settings” to find the best for the 4.1 final version. As soon as everything is ready there will not be many updates in the stable repo; just the testing/unstable/community repos and the like offer more updates. But if you have got a running system and don’t want to change anything and want to be 100% sure that your system doesn’t get crashed by an update, feel free to disable the updates for dom0, or isn’t that possible?

It seems like you’re correct in saying there’s some correlation. Thank you for taking the time to elaborate.

Looking at the questions online regarding this, I think it’d be best if the Qubes team clarified this somewhere in the documentation (I’d edit it, but I’m still not 100% certain and don’t want to be responsible for spreading misinformation)


This correlation may be simply due to the fact that Fedora generally has a short maintenance time, and when the next Qubes version is out, its dom0 operating system is already quite old. Such a coincidence, it seems, may actually improve the security of Qubes OS.

Perhaps if the dom0 OS is replaced with Debian, it will be different and your original question about updates may still be interesting. Maybe it would be better to use oldstable Debian version in dom0?

Come to think of it, I just do daily updates out of habit–I don’t really need to do it since (based on my limited understanding) any attacker that has reached dom0 must have breached Xen, which is already GameOver™.

But assuming R4.1 comes out before Fedora 32 reaches EOL (big assumption), what then?

@fsflover I remember reading that once the GUI- and audio-VMs have been implemented, there won’t be much left for dom0 to do, so they’re looking at smaller and safer alternatives to Fedora (like microkernels). There’s a thread out there on Github I can’t be bothered to look for.

Come to think about it, Fedora 32 was released in April last year, and R4.1 alpha has been around for longer than that. Doesn’t that mean the dom0 distribution was upgraded? Doing a quick search, I noticed that dom0 used to be Fedora 31 (/repo/yum/r4.1/current-testing/dom0/fc31).

Why would they go through the trouble of upgrading the distribution if the goal is to have it released after it has reached EOL? To get it as outdated-yet-current as possible?

To support newest possible hardware.

I’m not convinced, but I admit I’m not knowledgeable enough about this to argue.

From my experience dom0 gets some kernel patching every month or so it seems. Every day seems excessive. There is an option for monitoring and notifying you of dom0 updates.
